Noam Rotem, a hacker and activist, found the internet-exposed Elasticsearch database, which does not appear to have been password protected, earlier this month as part of what he calls an ethical hacking project, according to a March 15 blog post on VPNMentor. Once inside the database, Rotem found a treasure trove of personal data from multiple countries that was not encrypted.

It's not clear when the data was first exposed - Rotem found it on about March 1, according to the blog - or if anyone has taken advantage of it. Gearbest acknowledged in a statement that a member of the security team turned off a firewall for a short time.
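The root cause described above is an Elasticsearch endpoint answering HTTP requests with no credentials. The following is an added example, not code from the article, Gearbest or VPNMentor, of the check a defender can run against their own inventory: it takes the responses an unauthenticated GET to `/` and `/_cat/indices?format=json` would return and reports whether the cluster is open. The sample responses, index names and document counts are constructed for the example; the `classify` and `fetch` helper names are this example's own.

```python
"""Added example: classify an Elasticsearch endpoint as open or authenticated
from the responses to two unauthenticated GET requests. Not the article's code."""
import json
import urllib.error
import urllib.request

PATHS = ("/", "/_cat/indices?format=json")

# Constructed sample: what an unprotected cluster returns (index names made up).
SAMPLE_OPEN = {
    "/": (200, json.dumps({"name": "node-1",
                           "version": {"number": "6.8.0"},
                           "tagline": "You Know, for Search"})),
    "/_cat/indices?format=json": (200, json.dumps([
        {"index": "orders", "docs.count": "12345"},
        {"index": "members", "docs.count": "6789"},
    ])),
}

# Constructed sample: a cluster with authentication enabled rejects the request.
SAMPLE_SECURED = {
    "/": (401, json.dumps({"error": {"type": "security_exception",
                                     "reason": "missing authentication credentials"}})),
    "/_cat/indices?format=json": (401, ""),
}


def classify(responses):
    """Decide from {path: (status, body)} whether the cluster serves data
    without credentials. Returns a dict with an 'exposed' flag and details."""
    status, body = responses["/"]
    if status in (401, 403):
        return {"exposed": False, "reason": "endpoint requires authentication"}
    if status != 200:
        return {"exposed": False, "reason": f"unexpected status {status}"}
    try:
        root = json.loads(body)
    except json.JSONDecodeError:
        return {"exposed": False, "reason": "root response is not JSON"}
    # The tagline is what Elasticsearch itself returns on "/"; anything else is
    # some other service listening on the port.
    if root.get("tagline") != "You Know, for Search":
        return {"exposed": False, "reason": "not an Elasticsearch root response"}

    # Root answered anonymously; list which indices are readable to show impact.
    idx_status, idx_body = responses.get("/_cat/indices?format=json", (None, ""))
    indices = []
    if idx_status == 200:
        indices = [(i["index"], int(i.get("docs.count") or 0))
                   for i in json.loads(idx_body)]
    return {"exposed": True,
            "version": root.get("version", {}).get("number"),
            "indices": indices}


def fetch(base_url, path, timeout=5):
    """Unauthenticated GET returning (status, body) for use against your own hosts."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def check_host(base_url):
    """Run the two probes against one host from the asset inventory and classify."""
    return classify({p: fetch(base_url, p) for p in PATHS})


if __name__ == "__main__":
    print("open cluster   :", classify(SAMPLE_OPEN))
    print("secured cluster:", classify(SAMPLE_SECURED))
```

An "exposed" result on an externally reachable host is the condition the article describes; the remediation is to bind the node to an internal interface and require authentication (in current Elasticsearch, the `network.host` and `xpack.security.enabled` settings) rather than relying on a perimeter firewall that a single change can remove.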

Gearbest is a large e-commerce and retail site based in China that mainly sells electronics and appliances, but also deals in clothing and other goods. The company ships to over 250 countries and has subdomains in about 18 languages, including English.

Customer Data Exposed

Inside the main Elasticsearch database, Rotem says, he found three distinct databases - for orders, payments/invoices and members - that included a wealth of customer data, including: customer names, products purchased, shipping addresses, email addresses, phone numbers, order numbers, payment types, payment information, dates of birth, IP address, and national ID and passport information.

"An open database filled with personal information can compromise users' safety online. The records we saw show full sets of unencrypted data, including email addresses and passwords," according to the VPNMentor blog post.

Only a small portion of the exposed personal data is needed to complete an order or buy a product from the site, the researchers note. They also say there's no reason for the company to retain data such as a customer's IP address.

Gearbest Response

When Rotem and VPNMentor first published their findings, Gearbest and its parent company, Globalegrow, did not respond. Later, however, Rotem posted Gearbest's response on Twitter. In its statement, Gearbest disputed some of the claims the security researchers made, including the number of customer records exposed, which the company put at closer to 280,000.

Additionally, the company said it uses encryption to protect data.

As to how the database became exposed on the internet, the Gearbest statement suggested that a member of the company's security team took down a firewall around March 1. Why that happened is still under investigation by the company, according to the statement.

The amount of personal and customer data exposed could lead to a host of security problems for Gearbest's users, according to Avast, a Czech security vendor, which published a commentary about the incident.

"The amount of different personal information exposed is really worrisome," wrote Luis Corrons, a security expert with Avast. "Apart from identity theft, it could be used to launch targeted attacks against potential victims, from sextortion to spear phishing."

Beyond ID Theft

The exposed database also may put Gearbest's corporate data at risk.

Rotem noted that researchers also found URLs in the exposed database that led to the Apache Kafka software that Gearbest, as well as Globalegrow, use as part of their platforms. This open source software is used by enterprises to prevent server overload and maintain efficiency, while allowing the businesses to collect big data analytics.

"This kind of access allows malicious hackers to manipulate information, reassign database properties and even disable entire sections of the company's server. Depending on the function of each server, this could disrupt data collection, order placement, and stock and warehouse management," the VPNMentor blog noted.

About the Author

Ferguson is the managing editor for the news desk at Information Security Media Group. He's been covering the IT industry for more than 13 years. Before joining ISMG, Ferguson was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.
